Query Details

Device Detect Registry Tampering

Query

//Detect when a user or process attempts to tamper with Defender for Endpoint registry settings

//Data connector required for this query - M365 Defender - Device* tables

DeviceEvents
| where ActionType == "TamperingAttempt"
| extend OriginalRegistryValue = tostring(AdditionalFields.OriginalValue)
| extend Status = tostring(AdditionalFields.Status)
| extend TamperingAction = tostring(AdditionalFields.TamperingAction)
| extend AttemptedRegistryValue = tostring(AdditionalFields.TamperingAttemptedValue)
| extend TargetRegistryKey = tostring(AdditionalFields.Target)
| where TamperingAction == "RegistryModification"
| project
    TimeGenerated,
    DeviceName,
    TamperingAction,
    Status,
    OriginalRegistryValue,
    AttemptedRegistryValue,
    TargetRegistryKey,
    InitiatingProcessAccountName,
    InitiatingProcessCommandLine

Explanation

This query detects attempts by a user or process to modify the registry settings of Defender for Endpoint. It uses the M365 Defender Device* tables (here DeviceEvents) as the data source. The query first keeps only events whose ActionType is "TamperingAttempt", then pulls the tampering details out of the AdditionalFields dynamic column with tostring (TamperingAction, Status, OriginalValue, TamperingAttemptedValue and Target), and keeps only rows whose TamperingAction is "RegistryModification". Finally it projects TimeGenerated, DeviceName, TamperingAction, Status, OriginalRegistryValue, AttemptedRegistryValue, TargetRegistryKey, InitiatingProcessAccountName and InitiatingProcessCommandLine, so that each row shows which registry value was targeted, what it was changed from and to, whether the attempt was blocked, and which account and command line initiated it.
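To make the query's logic testable away from a Sentinel workspace, the following Python replays the same filter and projection over a handful of constructed DeviceEvents rows. This is an added example, not the author's query or any Microsoft code: the event rows, the Status values ("Blocked", "Succeeded") and the non-registry TamperingAction value are assumptions made for illustration, and the only behaviour it claims to mirror is the KQL shown above (including tostring() turning a missing AdditionalFields property into an empty string). It also goes one step beyond the page by counting results per device and Status, which is a natural next triage step once the rows are in hand.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample DeviceEvents rows (not real telemetry). AdditionalFields is the
# JSON payload attached to each event; property names follow the page's KQL query.
SAMPLE_DEVICE_EVENTS: List[Dict[str, Any]] = [
    {   # registry tampering attempt that tamper protection stopped (Status assumed)
        "TimeGenerated": "2022-06-17T10:02:11Z",
        "DeviceName": "ws-finance-01",
        "ActionType": "TamperingAttempt",
        "InitiatingProcessAccountName": "jdoe",
        "InitiatingProcessCommandLine": "reg.exe add <constructed Defender policy key> ... /f",
        "AdditionalFields": json.dumps({
            "TamperingAction": "RegistryModification",
            "Target": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
            "OriginalValue": "0",
            "TamperingAttemptedValue": "1",
            "Status": "Blocked",
        }),
    },
    {   # tampering attempt of another kind (constructed value); filtered out by the query
        "TimeGenerated": "2022-06-17T10:05:40Z",
        "DeviceName": "ws-finance-01",
        "ActionType": "TamperingAttempt",
        "InitiatingProcessAccountName": "jdoe",
        "InitiatingProcessCommandLine": "sc.exe ... (constructed)",
        "AdditionalFields": json.dumps({"TamperingAction": "ServiceTampering", "Status": "Blocked"}),
    },
    {   # ordinary registry event, not a TamperingAttempt; filtered out by the query
        "TimeGenerated": "2022-06-17T11:00:00Z",
        "DeviceName": "srv-build-07",
        "ActionType": "RegistryValueSet",
        "InitiatingProcessAccountName": "svc_build",
        "InitiatingProcessCommandLine": "msiexec.exe /i build-agent.msi (constructed)",
        "AdditionalFields": json.dumps({}),
    },
    {   # registry tampering that went through; OriginalValue is absent from the payload
        "TimeGenerated": "2022-06-17T11:42:09Z",
        "DeviceName": "srv-build-07",
        "ActionType": "TamperingAttempt",
        "InitiatingProcessAccountName": "svc_build",
        "InitiatingProcessCommandLine": "powershell.exe -Command ... (constructed)",
        "AdditionalFields": json.dumps({
            "TamperingAction": "RegistryModification",
            "Target": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection",
            "TamperingAttemptedValue": "0",
            "Status": "Succeeded",
        }),
    },
]

# Column order of the query's final project clause.
PROJECTED_COLUMNS = [
    "TimeGenerated", "DeviceName", "TamperingAction", "Status", "OriginalRegistryValue",
    "AttemptedRegistryValue", "TargetRegistryKey", "InitiatingProcessAccountName",
    "InitiatingProcessCommandLine",
]


def parse_additional_fields(raw: Any) -> Dict[str, Any]:
    """AdditionalFields is a dynamic (JSON) column; treat anything unparseable as {}."""
    if isinstance(raw, dict):
        return raw
    try:
        parsed = json.loads(raw) if raw else {}
    except (TypeError, ValueError):
        return {}
    return parsed if isinstance(parsed, dict) else {}


def kql_tostring(value: Any) -> str:
    """Mirror KQL tostring(): a missing or null dynamic property becomes ''."""
    if value is None:
        return ""
    if isinstance(value, (dict, list)):
        return json.dumps(value, separators=(",", ":"))
    return str(value)


def detect_registry_tampering(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply the query's where/extend/where/project chain to a list of DeviceEvents rows."""
    rows = []
    for ev in events:
        if ev.get("ActionType") != "TamperingAttempt":          # first where clause
            continue
        af = parse_additional_fields(ev.get("AdditionalFields"))  # extend ... tostring(...)
        row = {
            "TimeGenerated": ev.get("TimeGenerated"),
            "DeviceName": ev.get("DeviceName"),
            "TamperingAction": kql_tostring(af.get("TamperingAction")),
            "Status": kql_tostring(af.get("Status")),
            "OriginalRegistryValue": kql_tostring(af.get("OriginalValue")),
            "AttemptedRegistryValue": kql_tostring(af.get("TamperingAttemptedValue")),
            "TargetRegistryKey": kql_tostring(af.get("Target")),
            "InitiatingProcessAccountName": ev.get("InitiatingProcessAccountName"),
            "InitiatingProcessCommandLine": ev.get("InitiatingProcessCommandLine"),
        }
        if row["TamperingAction"] != "RegistryModification":   # second where clause
            continue
        rows.append({col: row[col] for col in PROJECTED_COLUMNS})  # project
    return rows


def summarize_by_status(rows: List[Dict[str, Any]]) -> Dict[Tuple[str, str], int]:
    """Triage step beyond the page's query: attempts per (DeviceName, Status), so
    registry changes that were not blocked stand out from those tamper protection stopped."""
    counts: Dict[Tuple[str, str], int] = {}
    for r in rows:
        key = (r["DeviceName"], r["Status"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = detect_registry_tampering(SAMPLE_DEVICE_EVENTS)
    for hit in hits:
        print(hit)
    print(summarize_by_status(hits))
```

On the sample above only the two RegistryModification rows survive; the second of them shows why the Status column matters in triage, since a "Succeeded" registry change to a Defender setting deserves immediate follow-up on the device, whereas a "Blocked" one is evidence that tamper protection did its job and mainly calls for investigating the initiating account and command line.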

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceEvents

Keywords

DeviceEvents, ActionType, TamperingAttempt, OriginalRegistryValue, Status, TamperingAction, AttemptedRegistryValue, TargetRegistryKey, TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine

Operators

where, extend, tostring, project
